Staff Product Security Engineer

Dive in and do the best work of your career at DigitalOcean. Journey alongside a strong community of top talent who are relentless in their drive to build the simplest scalable cloud. If you have a growth mindset, naturally like to think big and bold, and are energized by the fast-paced environment of a true industry disruptor, you’ll find your place here. We value winning together—while learning, having fun, and making a profound difference for the dreamers and builders in the world. We’re looking for a Staff Product Security Engineer who is passionate about partnering with engineers to assess the security risk of new products and features and build secure-by-default paved roads. As a member of the Product Security team, you will report to the Senior Manager of Product Security. Our mission is to minimize security risk while maximizing business velocity. This staff engineer will help oversee the strategic functions of two Product Security teams: Secure Design and Security Platform. Our Secure Design team enables DigitalOcean to build secure-by-design products. We leverage strong relationships with both product teams and the rest of security engineering to be successful. Our scope is primarily focused on reviewing early-stage decisions, helping develop threat models, scaling impact via automation, curating security patterns, authoring security guidance, training, and championing security initiatives. Our Security Platform team secures the development and environment of our engineers and production services. We achieve this by implementing controls that layer security into the groundwork of our engineering infrastructure, streamlining implementations, and measuring effectiveness. We help build the platform that ensures software development at DigitalOcean is safe, easy, and low-risk. You will collaborate with other security teams and the rest of DigitalOcean to guide secure architecture design, reduce security risk in the organization, and empower engineers to make informed security decisions. Security at DO means solving incredibly complex problems at a high-scale that have real impact for our customers, our products, and the larger internet community. W hat You’ll do: Threat model application designs and solutions and provide security risk assessments (60%) Provide deep technical expertise in software and network architecture during holistic assessments of security layers across infrastructure, application, people, and process. Collaborate with product managers, designers, and engineers to threat model and architect secure and resilient systems. Identify the trade-offs of different solutions and recommend the efficient design to achieve both functional goals and security requirements. Provide hands-on remediation guidance to development teams. Build secure-by-default guardrails for engineers (30%) Design and build internal tooling to provide engineering teams with secure-by-default configurations and libraries. Write robust, resilient, and maintainable software, primarily in Go and Python. You may sometimes work on a frontend. We do not believe in Security Obstructionism and carefully integrate a small number of vendor tools into our development pipelines. You will help drive the successful integration of these tools as well as build security initiatives around their data that empower engineers rather than add friction or blocking gates. Prioritize the user experience (our customers are internal dev teams) to ensure security’s libraries and services are the easiest, fastest way to get work done. Cultivate and promote a security culture (10%) Champion an internal security culture (developer training, internal CTFs, etc.). Mentor software engineering teams in security best practices. Help oversee our vulnerability management program ( we call it security debt ). Help DigitalOcean engineers understand how security events impact them. Do they need to worry about the next Log4j CVE? How does RetBleed im ... (truncated, view full listing at source)